Seeking for an advise for your side on what looks as very simple problem - get containerized DNS working for other containers in different docker subnets.
Scenario is as following:
1.have local DNS running in container (pihole/dnsmasq, but it doesn’t matter),
2. port 53 is exposed via bridge net (dedicated)
3. all works fine for docker host and outside world
4. this DNS server should be used by all containers
Detailed explanation of above:
The problem is only with the last part - there’s no way I can get it working.
Going into detail we have network:
172.20.0.0/24 where DNS is located, let.s say at ip .5
Port mapping is done from host using bridge subnet (as more ports are used by DNS server I don’t want to expose at host level, or am proxying to them for other reasons - pihole 443, 80, etc.).
192.168.0.5/24 is external IP on docker host.
All hosts can use this DNS using 192.168.0.5.
Docker containers in different subnets, other than 172.20.0.0/24 can’t get access to this DNS using 172.20.0.5 IP for obvious docker reasons.
Idea of using docker Host IP 192.168.0.5 seems to be wise, but it gets DNAT to 172.20.0.5 and reply comes back, without reverting the NAT back to container in i.e. 172.17.0.10/24 and is dropped as has wrong source IP.
For me this is not a feature but a bug, as packet should go through network stack and following typical Linux/iptables get back the original destination IP (192.168.0.5) set as source.
Workaround could be a manual iptables rule, masking any traffic from any containers when going to the DNS IP (either docker host IP or internal docker container, but then forwarding rule would be required too).
What are your odds on it?